skills/skrrt-sh/skills/decompose/Gen Agent Trust Hub

decompose

Pass

Audited by Gen Agent Trust Hub on Apr 24, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it ingests untrusted user goals and existing project file content to generate instructions for subsequent agent runs.
      • Ingestion points: User-provided goals via the $ARGUMENTS placeholder, and project files accessed through the Read, Grep, and Glob tools.
      • Boundary markers: The skill outputs a strict JSON manifest, which provides structural delimitation; however, it lacks an explicit instruction to sanitize or ignore instructions embedded in the user-provided goal field.
      • Capability inventory: The tool is permitted to create directories (mkdir) and write files (Write) within the project's .claude/squad/runs/ directory.
      • Sanitization: No specific sanitization or filtering logic is defined for the ingested data before it is written into the manifest's goal or rationale fields.
      • Mitigation: The risk is considered low and consistent with the skill's primary purpose of planning and task translation; the limited toolset (restricted Bash and file Write access) prevents direct exploitation at the planning stage.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 24, 2026, 06:44 PM